Killnag Tutorial

Thursday, May 26 2005 @ 04:38 AM CEST

Contributed by: thorpe

Level : newbie

Patching Nagscreens in this target [file:20050522170128797 here]

Gathering Information
---------------------------
OK, as always, you should run the target first to see how the program works before diving into the code. We are presented with a nag when the target is run.
The important thing to notice is that this is a message box with the text "Oh, do you like this program?" Also, if you press Exit you are presented with another message box nag screen stating "Oh, did you forget this one?"

Finding where the nags are called
----------------------------------------
Instead of just scrolling through the code for MessageBoxA calls, we are going to set a breakpoint. Reasoning? A program could have the text encrypted, etc., so the scrolling method simply won't fly for many programs. MessageBoxA, in case you didn't know, is located within USER32.dll, so press Alt-E to view executable modules. Right-click on USER32.dll and choose "View Names". In this new window, locate MessageBoxA, click on it once, and hit F2 (toggle breakpoint). Press F9 to run the program and we end up landing in USER32.dll. If you look a little below you can see the following line:

77D8052A E8 2D000000 CALL USER32.MessageBoxExA

This is the call responsible for the message box; however, we are inside USER32.dll and want to find how we got here. A nice trick is to look at the call stack (Alt-K) to see how we got here. After pressing Alt-K we see at the top where this was called from, along with details about this message box including the title, text, etc. It says that MessageBoxA was called from KillNag.00401085, so if we double-click that line we will be brought to this location.

Patching the Nags
---------------------
Now that we are in the right location take a look around. If you look above you will notice this line:

00401074 > 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]

The '>' indicates that this location was reached by a jump. If you click/highlight this line, the small pane below will say "Jump from 00401012". You can also view this information by right-clicking on the code and selecting "Find references to" -> "Selected command", which is Ctrl-R. You can reach that jump location by right-clicking on the pane and selecting "Go to JE from..." or by double-clicking on the line in the Ctrl-R window. Just to make sure we are all on the same page, we should be here:

00401012 74 60 JE SHORT KillNag.00401074

Now, we don't want to take the jump, otherwise we get that stupid nag. So what we can do is NOP the line of code so that we never have to worry about this: right-click -> "Binary" -> "Fill with NOPs". OK, the first nag is taken care of. Now we have to get rid of the message box that appears on exit. If you look right below where we are you can see it:

You could also have found this location by just pressing Exit and letting OllyDbg break on MessageBoxA again. Anyhoo, if you look above this you will find the line:

0040104A > 56 PUSH ESI

Again, we arrive at this location by a jump, so we have to get rid of the jump to this nag screen. Apply the same method we used before to reach the line of code with the jump. You should be at this location:

00401026 . 74 22 JE SHORT KillNag.0040104A

So, just as we did with the other jump, NOP this line of code. Now save your patched program: right-click -> "Copy to executable" -> "All modifications", then click "Copy all" on the message box. Then, in the new window, right-click -> "Backup" -> "Save data to file". If we run the program it has no first nag; that's good. But click the Exit button... well, there is no nag, but we also don't exit the program!

I showed this because it is a mistake that many beginners are likely to make on this program. So let's reload the program into Olly. If you look right below the 2nd nag in Olly you will notice a "WM_CLOSE". Hmm, think this is responsible for closing our application? ;)

If you think about it for a little bit you will also notice that you can just jump to WM_CLOSE instead of jumping to that stupid nag code. So go back to the jump responsible for the exit nag. Now we want it NOT to jump to 0040104A (nag code), but to 00401093 (WM_CLOSE). So right-click -> "Assemble" and change 0040104A to 00401093.
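The two edits above are both changes to a 2-byte JE SHORT instruction, whose second byte is a signed displacement counted from the end of the instruction. The following is an added example, not code from this tutorial or from the KillNag target, that decodes the three addresses quoted in the listings (00401012 -> 00401074, 00401026 -> 0040104A, and the retarget to 00401093), assembles the new displacement that OllyDbg computes for you, and then audits a patched image against the original to explain each modified jump, which is how you would verify a patch or spot one during integrity review. The image bytes are constructed inline (INT3 filler around the two quoted instructions) and the file offset is taken as address minus a made-up base of 0x401000; a real PE would need the section table to map addresses to file offsets.

```python
# Added example (not part of the tutorial or the KillNag target).
# All bytes and addresses are constructed from the listing quoted above.

JE_SHORT = 0x74                                      # opcode byte of JE/JZ rel8
NOP = 0x90
NOPS = bytes([NOP, NOP])
SHORT_JUMP_OPCODES = set(range(0x70, 0x80)) | {0xEB}   # Jcc rel8 family plus JMP rel8


def short_jcc_target(addr, opcode, disp):
    """Destination of a 2-byte short jump at virtual address addr.

    The displacement byte is signed and counted from the end of the
    instruction, i.e. from addr + 2.
    """
    if opcode not in SHORT_JUMP_OPCODES:
        raise ValueError(f"{opcode:#x} is not a short jump opcode")
    signed = disp - 0x100 if disp >= 0x80 else disp
    return addr + 2 + signed


def encode_short_jcc(addr, opcode, target):
    """Bytes for 'Jcc SHORT target' assembled at addr.

    Raises ValueError when the target is outside rel8 range; an assembler
    would have to emit a longer near jump in that case.
    """
    if opcode not in SHORT_JUMP_OPCODES:
        raise ValueError(f"{opcode:#x} is not a short jump opcode")
    rel = target - (addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{target:#x} not reachable by a short jump from {addr:#x}")
    return bytes([opcode, rel & 0xFF])


BASE = 0x401000   # assumed base for this constructed image only
# Constructed image: INT3 filler with the two JE SHORT instructions placed
# at the addresses the tutorial quotes.
_img = bytearray(b"\xcc" * 0x40)
_img[0x401012 - BASE:0x401014 - BASE] = b"\x74\x60"   # JE SHORT 00401074 (first nag)
_img[0x401026 - BASE:0x401028 - BASE] = b"\x74\x22"   # JE SHORT 0040104A (exit nag)
ORIGINAL = bytes(_img)


def apply_tutorial_patches(image, base=BASE):
    """Reproduce the two edits made in OllyDbg: NOP the first jump and
    retarget the second at the WM_CLOSE handler (00401093)."""
    patched = bytearray(image)
    off1 = 0x401012 - base
    patched[off1:off1 + 2] = NOPS
    off2 = 0x401026 - base
    patched[off2:off2 + 2] = encode_short_jcc(0x401026, JE_SHORT, 0x401093)
    return bytes(patched)


def audit_short_jumps(original, patched, base=BASE):
    """Diff two same-size images and describe each modified short jump.

    Returns ('removed', addr, old_target) for a jump turned into NOPs,
    ('retargeted', addr, old_target, new_target) for a changed displacement,
    and ('other', addr) for any other changed byte. This is a byte-level
    heuristic: without a disassembler a data byte that happens to equal a
    jump opcode would be classified the same way.
    """
    if len(original) != len(patched):
        raise ValueError("images differ in size; not an in-place patch")
    findings = []
    i = 0
    while i < len(original):
        if original[i:i + 2] == patched[i:i + 2]:
            i += 1
            continue
        addr = base + i
        if (i + 1 < len(original) and original[i] in SHORT_JUMP_OPCODES
                and (patched[i] == original[i] or patched[i:i + 2] == NOPS)):
            old_target = short_jcc_target(addr, original[i], original[i + 1])
            if patched[i:i + 2] == NOPS:
                findings.append(("removed", addr, old_target))
            else:
                new_target = short_jcc_target(addr, patched[i], patched[i + 1])
                findings.append(("retargeted", addr, old_target, new_target))
            i += 2
            continue
        if original[i] != patched[i]:
            findings.append(("other", addr))
        i += 1
    return findings


if __name__ == "__main__":
    for finding in audit_short_jumps(ORIGINAL, apply_tutorial_patches(ORIGINAL)):
        print(finding)
```

Running the block prints one line per modified jump: the first is reported as removed (its old target 00401074 is the nag), the second as retargeted from 0040104A to 00401093. The audit is the useful half for a defender: given a known-good copy of a binary, it turns a raw byte diff into "which control-flow decisions were changed and where they used to go".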

Run the program and voilà! It works :)

Final thoughts: A little lengthy, but I put a lot of basic stuff in here to help out those who are new to Ollydbg.